fix(mastodon): mount host user into container properly
This commit is contained in:
parent
6a0924c72c
commit
275976f1e6
@ -11,6 +11,8 @@ mastodon_data_path: "{{ mastodon_base_path }}/data"
|
||||
mastodon_repo_path: "{{ mastodon_base_path }}/src"
|
||||
mastodon_config_path: "{{ mastodon_base_path }}/config"
|
||||
mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
|
||||
mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
|
||||
mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
|
||||
mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
|
||||
mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
|
||||
mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
|
||||
@ -29,7 +31,9 @@ mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_c
|
||||
mastodon_container_networks:
|
||||
- name: "{{ mastodon_container_network_name }}"
|
||||
|
||||
mastodon_container_base_volumes_streaming: []
|
||||
mastodon_container_base_volumes_streaming:
|
||||
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
|
||||
- "{{ mastodon_config_group_file }}:/etc/group:ro"
|
||||
mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
|
||||
mastodon_container_volumes_streaming: >-
|
||||
{{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
|
||||
@ -42,6 +46,8 @@ mastodon_container_volumes_sidekiq: >-
|
||||
|
||||
mastodon_container_base_volumes:
|
||||
- "{{ mastodon_repo_path }}/public:/mastodon/public:z"
|
||||
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
|
||||
- "{{ mastodon_config_group_file }}:/etc/group:ro"
|
||||
mastodon_container_extra_volumes: []
|
||||
mastodon_container_volumes: >-
|
||||
{{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
|
||||
|
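Review bot: The two new user-database mounts (`- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"` and the matching group line) carry only `:ro`, while the existing `public` mount in the same list uses `:z`; if that label is there for SELinux hosts, the bind-mounted passwd/group files will be unreadable inside the container on such hosts unless they get the same relabel (`:ro,z`). The read-only flag itself is the right call — the container should never be able to rewrite its own user database. The same two entries are now duplicated in the streaming and base volume lists; a single shared list (e.g. `mastodon_container_user_volumes`) that both lists concatenate would keep them from drifting apart. A one-line comment above the entries would help operators reading this variables file: `# passwd/group rendered on the host (see tasks) so the container resolves the uid/gid of mastodon_user; mounted read-only on purpose`.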
@ -43,6 +43,24 @@
|
||||
mode: "0640"
|
||||
notify: restart-mastodon-nginx
|
||||
|
||||
- name: Ensure fake passwd file is templated
|
||||
template:
|
||||
src: passwd.j2
|
||||
dest: "{{ mastodon_config_passwd_file }}"
|
||||
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
|
||||
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
|
||||
mode: "0644"
|
||||
notify: restart-mastodon
|
||||
|
||||
- name: Ensure fake passwd file is templated
|
||||
template:
|
||||
src: group.j2
|
||||
dest: "{{ mastodon_config_group_file }}"
|
||||
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
|
||||
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
|
||||
mode: "0644"
|
||||
notify: restart-mastodon
|
||||
|
||||
- name: Ensure mastodon git repository is present and up-to-date
|
||||
git:
|
||||
repo: "{{ mastodon_git_upstream_url }}"
|
||||
@ -52,6 +70,8 @@
|
||||
force: no
|
||||
recursive: yes
|
||||
track_submodules: yes
|
||||
become: yes
|
||||
become_user: "{{ mastodon_user }}"
|
||||
register: git_repo_info
|
||||
|
||||
- name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
|
||||
@ -131,6 +151,7 @@
|
||||
command: "node ./streaming"
|
||||
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||
ports: "{{ mastodon_container_ports_streaming }}"
|
||||
user: "{{ mastodon_user }}"
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
|
||||
interval: 5s
|
||||
@ -148,7 +169,7 @@
|
||||
command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
|
||||
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||
ports: "{{ mastodon_container_ports }}"
|
||||
user: "{{ mastodon_user }}"
|
||||
user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
|
||||
interval: 5s
|
||||
@ -156,6 +177,12 @@
|
||||
start_period: 0s
|
||||
timeout: 5s
|
||||
|
||||
- name: Ensure container paths belong to the mastodon user
|
||||
community.docker.docker_container_exec:
|
||||
container: "{{ mastodon_container_name }}"
|
||||
command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
|
||||
user: "0"
|
||||
|
||||
- name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
|
||||
docker_container:
|
||||
name: "{{ mastodon_container_nginx_name }}"
|
||||
@ -165,12 +192,7 @@
|
||||
restart_policy: "{{ mastodon_container_restart_policy }}"
|
||||
|
||||
- name: Ensure assets are precompiled
|
||||
docker_container:
|
||||
name: "{{ mastodon_container_name }}"
|
||||
env_file: "{{ mastodon_config_env_file }}"
|
||||
command: "bash -c \"bundle exec rails assets:precompile\""
|
||||
user: "{{ mastodon_user }}"
|
||||
tty: yes
|
||||
interactive: yes
|
||||
detach: no
|
||||
community.docker.docker_container_exec:
|
||||
container: "{{ mastodon_container_name }}"
|
||||
command: "bundle exec rails assets:precompile"
|
||||
when: git_repo_info.before != git_repo_info.after
|
||||
|
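Review bot: The streaming container is started with `user: "{{ mastodon_user }}"` (a name) while the web container was switched to `user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"`; container runtimes resolve a user name against the image's own `/etc/passwd`, not a bind-mounted one, so the name form either fails at create time or silently picks the image's uid — the very mismatch the numeric form was introduced to avoid — and the streaming task should use the same `uid:gid` value. The `chown -R ... /opt/mastodon` exec runs as root (`user: "0"`) on every play and `community.docker.docker_container_exec` always reports changed; add `changed_when: false` (or run it only when the container was (re)created) so a routine run is idempotent and does not re-walk the whole tree as root, bearing in mind that any bind-mounted host path under that directory is walked as well. The second template task reuses the name `Ensure fake passwd file is templated` for `group.j2`; it should read `Ensure fake group file is templated`. Since the two rendered files are only read by the container, owning them by `root` (`owner: root`, `group: root`, mode `"0644"`) rather than by the mastodon user would stop the service account from being able to rewrite its own container user database on the host.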
40
roles/mastodon/templates/group.j2
Normal file
@ -0,0 +1,40 @@
|
||||
root:x:0:
|
||||
daemon:x:1:
|
||||
bin:x:2:
|
||||
sys:x:3:
|
||||
adm:x:4:
|
||||
tty:x:5:
|
||||
disk:x:6:
|
||||
lp:x:7:
|
||||
mail:x:8:
|
||||
news:x:9:
|
||||
uucp:x:10:
|
||||
man:x:12:
|
||||
proxy:x:13:
|
||||
kmem:x:15:
|
||||
dialout:x:20:
|
||||
fax:x:21:
|
||||
voice:x:22:
|
||||
cdrom:x:24:
|
||||
floppy:x:25:
|
||||
tape:x:26:
|
||||
sudo:x:27:
|
||||
audio:x:29:
|
||||
dip:x:30:
|
||||
www-data:x:33:
|
||||
backup:x:34:
|
||||
operator:x:37:
|
||||
list:x:38:
|
||||
irc:x:39:
|
||||
src:x:40:
|
||||
gnats:x:41:
|
||||
shadow:x:42:
|
||||
utmp:x:43:
|
||||
video:x:44:
|
||||
sasl:x:45:
|
||||
plugdev:x:46:
|
||||
staff:x:50:
|
||||
games:x:60:
|
||||
users:x:100:
|
||||
nogroup:x:65534:
|
||||
{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:
|
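Review bot: The `{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:` entry is appended after a fixed Debian group list, so if the host gid happens to equal one of the static gids (for example `users` is 100, `www-data` is 33) the rendered file holds two names for one gid and lookups become ambiguous. Most of those static groups (`sudo`, `shadow`, `disk`, `lp`, `uucp`, ...) describe host-OS groups with no meaning inside this container; rendering only `root`, `nogroup` and the mastodon group, or guarding the static block with an `{% if %}` on the gid, avoids the collision and keeps the file minimal. The last line also assumes the user's primary group carries the same name as `mastodon_user`; the `user` module's registered `group` is a numeric gid, so when the primary group is named differently on the host the name-to-gid mapping inside the container will not match the host's — a header comment stating that assumption would save the next reader a surprise.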
20
roles/mastodon/templates/passwd.j2
Normal file
@ -0,0 +1,20 @@
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
|
||||
bin:x:2:2:bin:/bin:/usr/sbin/nologin
|
||||
sys:x:3:3:sys:/dev:/usr/sbin/nologin
|
||||
sync:x:4:65534:sync:/bin:/bin/sync
|
||||
games:x:5:60:games:/usr/games:/usr/sbin/nologin
|
||||
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
|
||||
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
|
||||
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
|
||||
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
|
||||
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
|
||||
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
|
||||
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
|
||||
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
|
||||
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
|
||||
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
|
||||
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
|
||||
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
|
||||
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
|
||||
{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh
|
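Review bot: The mastodon entry at the end is appended after a fixed set of Debian system accounts, so a host uid that collides with one of them (`_apt` is 100, `nobody` is 65534) yields two names for one uid; rendering only `root`, `nobody` and the mastodon user would avoid that and drop accounts (`lp`, `news`, `uucp`, `irc`, `gnats`) that mean nothing inside this container. Replacing the image's whole `/etc/passwd` also removes every user the image itself defines, so if the image's entrypoint or helper scripts switch user by name they will stop resolving — worth confirming against the image referenced by `mastodon_container_image_ref`. Every password field stays `x`, so no credential material is copied into the container, which is as it should be; a short header such as `{# Rendered by the mastodon role and mounted read-only over /etc/passwd so the container knows the host uid/gid of mastodon_user #}` would document why this file exists.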